现象描述
最近现上有一个两年前的业务,一直稳定运行,最近几天发现频繁出现业务不可用的情况,后来运维每天重启网关解决。开始没有太关注,以为是服务器不稳定。后来查看日志,发现如下报错信息:
报错日志除图片外,也单独放文本一份
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.rangeCheck(ArrayList.java:657) ~[na:1.8.0_161]
at java.util.ArrayList.get(ArrayList.java:433) ~[na:1.8.0_161]
at org.springframework.cloud.gateway.route.RouteDefinitionRouteLocator.combinePredicates(RouteDefinitionRouteLocator.java:213) ~[spring-cloud-gateway-core-2.1.2.RELEASE.jar!/:2.1.2.RELEASE]
at org.springframework.cloud.gateway.route.RouteDefinitionRouteLocator.convertToRoute(RouteDefinitionRouteLocator.java:142) ~[spring-cloud-gateway-core-2.1.2.RELEASE.jar!/:2.1.2.RELEASE]
at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:100) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxFlatMap$FlatMapMain.drainLoop(FluxFlatMap.java:664) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxFlatMap$FlatMapMain.drain(FluxFlatMap.java:540) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxFlatMap$FlatMapInner.onSubscribe(FluxFlatMap.java:924) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxIterable.subscribe(FluxIterable.java:139) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxIterable.subscribe(FluxIterable.java:63) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.Flux.subscribe(Flux.java:7921) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxFlatMap$FlatMapMain.onNext(FluxFlatMap.java:389) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxIterable$IterableSubscription.slowPath(FluxIterable.java:243) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxIterable$IterableSubscription.request(FluxIterable.java:201) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxFlatMap$FlatMapMain.onSubscribe(FluxFlatMap.java:335) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxIterable.subscribe(FluxIterable.java:139) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxIterable.subscribe(FluxIterable.java:63) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
at reactor.core.publisher.FluxFlatMap.subscribe(FluxFlatMap.java:97) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
这个是Spring Cloud Gateway 远程代码执行漏洞(CVE-2022-22947)导致的。详细漏洞描述参见:
https://tanzu.vmware.com/security/cve-2022-22947
哎,估计近期这台服务器上的业务被人盯上了,安全第一,我分为两步解决此问题。
解决方案
方案一(临时方案):在生产上禁用 Gateway actuator 接口
方式一:关闭暴露监控端点
management:
endpoints:
enabled-by-default: false
web:
exposure:
include: '*'
方式二:关闭网关的端点
management:
endpoint:
gateway:
enabled: false
方案二
升级Spring Cloud Gateway的版本至最新版本
详见https://cloud.tencent.com/developer/article/1950978
官方的ISSUE说明:
- https://github.com/spring-cloud/spring-cloud-gateway/issues/1915
- https://github.com/spring-cloud/spring-cloud-gateway/issues/2542
项目案例
MateCloud微服务项目已经升级至最新的安全版本,所有源码均开源,请参见:
https://gitee.com/matevip/matecloud
